Happy Friday! This week brings a jam-packed release for VulnCheck Initial Access Intelligence customers. Below are the team's deliverables for the past week.
In June, the team developed a deserialization exploit for Gladinet CentreStack CVE-2025-30406 that used a hard-coded key to achieve remote code execution. This month, CentreStack is back in the news after Huntress detected exploitation of CVE-2025-11371, a local file inclusion vulnerability that allows for RCE and also affects Gladinet TrioFox. There are several hundred to a few thousand of these systems exposed to the internet, depending on the query. The team's CentreStack exploit comes with PCAPs, ASM queries, and network rules.
The team added network signatures this week for CVE-2025-59287, an unauthenticated deserialization vulnerability in Windows Server Update Services that allows for RCE. Microsoft released an out-of-band update for this vulnerability on October 23, and per Huntress and NCSC-NL, exploitation is already occurring in the wild.
The team developed an exploit for a command injection issue in VICIdial, an open-source contact center solution. The vulnerability arises from a lack of user input sanitization, which allows an authenticated user to craft a malicious request to inject arbitrary commands into a filename. This vulnerability can be chained with CVE-2024-8503, which the team previously covered, to leak user credentials and leverage them with the command injection to obtain a root reverse shell without authentication. Most ASM engines show only 100 or so of these online, but Censys notably finds more than 4,000. Our exploit comes with a version scanner, PCAPs, network rules, and ASM queries.
The team also delivered an exploit this week for a trivial command injection vulnerability in China Mobile Intelligent gateways. Exploitation requires nothing more than a request carrying a command to the /cgi-bin/shortcut_telnet.cgi endpoint; the injected command runs as root. VulnCheck canaries have observed this vulnerability being exploited in the wild as of October 2025. Shodan finds about 80 internet-exposed devices. This exploit joins pre-existing PCAPs, network rules, and ASM queries.
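Because the gateway flaw is reachable through a single named endpoint, the simplest defensive check is to look for any request to that path in web-server access logs. The script below is an added example, not VulnCheck's code or a network rule from the release; it assumes Combined Log Format lines and normalizes URL-encoded paths so a percent-encoded request to the same endpoint is not missed. The log lines are constructed samples, not captured traffic.

```python
"""Flag access-log requests to the /cgi-bin/shortcut_telnet.cgi endpoint.

Added example (not VulnCheck's code). Assumes Combined Log Format lines;
the sample lines below are constructed, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Endpoint named in the advisory text; extend the tuple for other watched paths.
WATCHED_PATHS = ("/cgi-bin/shortcut_telnet.cgi",)

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare only the path: drop the query string and decode percent-encoding,
    # so "/cgi-bin/shortcut%5Ftelnet.cgi" matches the same endpoint.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def find_hits(lines):
    """Return the parsed records whose request path is one of the watched endpoints."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED_PATHS:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP so repeated probing from one host stands out."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Oct/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Oct/2025:10:01:05 +0000] "POST /cgi-bin/shortcut_telnet.cgi HTTP/1.1" 200 73 "-" "curl/8.0"',
    '198.51.100.7 - - [24/Oct/2025:10:01:09 +0000] "GET /cgi-bin/shortcut_telnet.cgi?x=1 HTTP/1.1" 200 73 "-" "curl/8.0"',
    '192.0.2.9 - - [24/Oct/2025:10:02:00 +0000] "GET /cgi-bin/shortcut%5Ftelnet.cgi HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("hits per source:", dict(summarize(hits)))
```

Note that a 404 is still reported: a request for this endpoint against a host that does not serve it is scanning activity worth seeing, and the status code tells you whether the target actually answered.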
The team recently observed exploit traffic targeting CVE-2024-22319 in VulnCheck's canary data, which led us to add coverage for the vulnerability this week. CVE-2024-22319 is a JNDI injection in IBM ODM, which, when an LDAP callback is triggered by the lookup, results in RCE by Java deserialization. The vulnerability was previously reported by Shadowserver as exploited in the wild; no specific threat actor is attributed. FOFA shows very low (single digit) internet exposure. This exploit comes with a version scanner, a PCAP, network signatures, a YARA rule, a Docker target, and ASM engine queries.
The team added an exploit for an authenticated command injection vulnerability in a variety of NETGEAR router models. On October 9, CVE-2020-27867 was added to VulnCheck KEV amid reported RondoDox botnet exploitation in the wild. VulnCheck canaries have also detected exploitation of this vulnerability coupled with CVE-2020-27866 to achieve unauthenticated RCE. Our exploit also includes network signatures, ASM queries, and a PCAP.
Finally, the team developed an exploit for CVE-2021-37305, a "sensitive" information disclosure in the Chinese software JeecgBoot that we've seen in VulnCheck canary data. By hitting the unauthenticated endpoint, an attacker can disclose the administrator's phone number or enumerate other users. Though the vulnerability isn't terribly potent on its own, it can be used as a precursor to other attacks. JeecgBoot has received a number of other CVEs in the past. This exploit comes with a PCAP, network signatures, and a GreyNoise query. ASM queries have been omitted due to the variable context path in the application.